Using video conferencing tools to communicate with colleagues

During the COVID-19 outbreak staff working in health and care organisations need to be able to communicate with each other whilst working remotely.  We encourage the use of video conferencing software to support communications. 

This advice note sets out the information governance considerations when staff are using video conferencing (VC) tools to communicate with other members of staff. It does not cover the use of these tools for patient/clinician interactions, or the usage of these tools for any other purposes. Advice on using video conferencing with patients and service users can be found here.

I work in a health and care organisation - what does this mean for me?

Microsoft Teams can be used for meetings between colleagues. Further information about this can be found here.  You may also use other tools but you should check with your own organisation that they have carried out the appropriate risk assessments.

When using video conferencing tools there are some steps you can take to make it as safe as possible:

  • ensure that you update the software frequently for any tool you use;
  • ensure meetings are password protected - otherwise uninvited attendees may be able to join or disrupt your meeting;
  • be aware of privacy settings in any software you use - for example using the default ‘private’ setting within Microsoft Teams rather than changing to ‘public’;
  • hold people who have joined the conference in a waiting area until you have verified their identity;
  • be aware of phishing risks with links/attachments in video chat.

If you need to share personal/confidential patient information during your video call you should apply the same principles you would at any other time. This is in addition to the steps set out above.

I’m an IG professional - what does this mean for me?

There are a number of video conferencing software tools available to use during this time. NHS Digital has assured the use of Microsoft Teams as a secure video conferencing tool. More information on this can be found here.

Other conferencing tools (e.g. Zoom, Webex) are not assured nationally. This does not mean they should not be used, but it is important to note that it is an organisation’s own responsibility to perform risk assessments on any products that are used. Guidance issued by the National Cyber Security Centre (NCSC) may be used to support your decision making.

The key considerations include: 

  • Where is the app sending the data?
  • Are video calls encrypted end-to-end?
  • Are people able to record meetings (with third party software) freely without authorisation from the host?
  • Are there paid options for video conferencing services that offer enhanced security or privacy features?

You should review your video conferencing arrangements when the outbreak is over e.g. the video conferencing tool you are using during the outbreak may not be the right tool for the job in the long term.

Personal/confidential patient information and video conferencing

If your organisation is going to share personal/confidential patient information during video conferencing in ways not already covered by an existing Data Protection Impact Assessment (DPIA) then a short high level DPIA should be carried out, as required under the GDPR/DPA 2018. The DPIA should set out the activity being proposed; the data protection risks; whether the proposed activity is necessary and proportionate; the mitigating actions that can be put in place and a plan or confirmation that mitigation has been put in place. The Information Commissioner’s Office (ICO) has produced guidance on carrying out DPIAs and a template that you can refer to. You should also update your privacy notice where data is being processed in new ways.

For further information please see the ICO’s blog on video conferencing.